Mais conteúdo relacionado
Semelhante a OAuth and OpenID Connect for Microservices (20)
OAuth and OpenID Connect for Microservices
- 1. OAuth and OpenID Connect for Microservices
A homogenous solution for a heterogeneous problem!
Jacob Ideskog – Identity Specialist at Twobo Technologies!
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 2. Copyright © 2014 Twobo Technologies AB. All rights reserved
A Traditional Service
- 3. With Traditional Subsystems
Copyright © 2014 Twobo Technologies AB. All rights reserved
Component C
Component D
Component A
Component B
- 4. … and traditional scalability
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 5. But this is not always how we build systems
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 9. So what’s the problem?
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 11. Securing a traditional service
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository
- 12. So for microservices that would mean
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository
- 14. Lets talk about OAuth
It’s not for Authentication
…and not for Authorization
OAuth is a scalable delegation protocol
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 15. OAuth has 4 actors
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 16. The client requests access
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 17. The AS requires the RO to authenticate
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 18. The AS issues the tokens
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 19. The Client presents the token to the RS
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 20. The RS validates the Token
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 21. Access!
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 22. One very important thing"
"
- The Client knows nothing about the user
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 23. Open ID Connect"
(Simplified)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 24. Request Access
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 25. Get Redirected to AS
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 26. Challenged
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 27. Now – an ID Token ( ) is also given
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 28. Sessions can be created (SSO)
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 29. Tada!
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com
- 32. The ID Token is a JWT"
(JSON Web Token)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 33. A signed JSON document
{
}
{
"iss":
"https://fs.oidc.net",
"x5t":
"5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865",
"typ":
"JWT",
"alg":
"RS256”
"sub":
"janedoe",
"name"
:
"Jane
Doe",
"email"
:
"jane@doe.com",
"phone_number"
"+46
(0)
12345678",
"aud":
"https://mymail.com",
"iss":
"https://fs.oidc.net",
"nbf":
1409213888783,
"jti":
"622a9973-‐fc4d-‐4797-‐be31-‐7c2116f549df",
"exp":
1409213890583,
"iat":
1409213888783
}
Copyright © 2014 Twobo Technologies AB. All rights reserved
Certificate
Signature
orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0
WvP1UzXZA_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk6
93XDAz15Y4aP9DeD62nROzd1MS4FZTmY3Cgzo1-3-
sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Ri
f7cWu4olme_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX
7Xqs_FPXY1PZLXLbc3ARXFmRf_-
Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA
- 34. OAuth Access Tokens can also be JWTs
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 35. 2 types of tokens
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe
By Value
By Reference
- 36. By Reference
Contains NO information outside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe
- 38. External vs. Internal
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API
- 39. Token Translation
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API
- 41. 2 Problems"
"
- Identifying the user"
- Creating sessions"
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 42. Leave authentication to the OAuth/OIDC server
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
- 43. Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
- 45. Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Reverse Proxy
123
XYZ
- 46. - everything is self contained"
- standards based"
- non-reputable"
- scalable
Copyright © 2014 Twobo Technologies AB. All rights reserved
Conclusion